Skip to content

Commit 495fbb9

Browse files
rabbitstackrabbitstack
committed
fix(ps): Spurious process executable override
If the module is loaded for the process executable, and we don't have the full executable path, override with the one from the image path if it corresponds to the process executable.
1 parent 4dc6121 commit 495fbb9

File tree

2 files changed

+71
-1
lines changed

2 files changed

+71
-1
lines changed

pkg/ps/snapshotter_windows.go

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ import (
2525
"golang.org/x/sys/windows"
2626
"path/filepath"
2727
"strconv"
28+
"strings"
2829
"sync"
2930
"time"
3031

@@ -228,7 +229,10 @@ func (s *snapshotter) AddModule(e *kevent.Kevent) error {
228229
module.SignatureLevel, _ = e.Kparams.GetUint32(kparams.ImageSignatureLevel)
229230
module.SignatureType, _ = e.Kparams.GetUint32(kparams.ImageSignatureType)
230231

231-
if module.IsExecutable() && len(proc.Exe) < len(module.Name) {
232+
if strings.EqualFold(proc.Name, filepath.Base(module.Name)) && len(proc.Exe) < len(module.Name) {
233+
// if the module is loaded for the process executable, and
234+
// we don't have the full executable path, override with
235+
// the one from the image path
232236
proc.Exe = module.Name
233237
}
234238

pkg/ps/snapshotter_windows_test.go

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -467,6 +467,72 @@ func TestRemoveModule(t *testing.T) {
467467
require.Len(t, ps.Modules, 0)
468468
}
469469

470+
func TestOverrideProcExecutable(t *testing.T) {
471+
hsnap := new(handle.SnapshotterMock)
472+
hsnap.On("FindHandles", mock.Anything).Return([]htypes.Handle{}, nil)
473+
psnap := NewSnapshotter(hsnap, &config.Config{})
474+
defer psnap.Close()
475+
476+
evt := &kevent.Kevent{
477+
Type: ktypes.CreateProcess,
478+
Kparams: kevent.Kparams{
479+
kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())},
480+
kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(os.Getppid())},
481+
kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"},
482+
kparams.Cmdline: {Name: kparams.Cmdline, Type: kparams.UnicodeString, Value: `Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`},
483+
kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `Spotify.exe`},
484+
kparams.UserSID: {Name: kparams.UserSID, Type: kparams.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
485+
kparams.StartTime: {Name: kparams.StartTime, Type: kparams.Time, Value: time.Now()},
486+
kparams.SessionID: {Name: kparams.SessionID, Type: kparams.Uint32, Value: uint32(1)},
487+
kparams.ProcessFlags: {Name: kparams.ProcessFlags, Type: kparams.Flags, Value: uint32(0x00000010)},
488+
},
489+
}
490+
require.NoError(t, psnap.Write(evt))
491+
492+
var tests = []struct {
493+
expectedExe string
494+
evt *kevent.Kevent
495+
}{
496+
{`Spotify.exe`,
497+
&kevent.Kevent{
498+
Type: ktypes.LoadImage,
499+
Kparams: kevent.Kparams{
500+
kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())},
501+
kparams.ImagePath: {Name: kparams.ImagePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Dee252aac#\\707569faabe821b47fa4f59ecd9eb6ea\\Microsoft.Developer.IdentityService.ni.exe"},
502+
},
503+
},
504+
},
505+
{`Spotify.exe`,
506+
&kevent.Kevent{
507+
Type: ktypes.LoadImage,
508+
Kparams: kevent.Kparams{
509+
kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())},
510+
kparams.ImagePath: {Name: kparams.ImagePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"},
511+
},
512+
},
513+
},
514+
{`C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`,
515+
&kevent.Kevent{
516+
Type: ktypes.LoadImage,
517+
Kparams: kevent.Kparams{
518+
kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())},
519+
kparams.ImagePath: {Name: kparams.ImagePath, Type: kparams.UnicodeString, Value: "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe"},
520+
},
521+
},
522+
},
523+
}
524+
525+
for _, tt := range tests {
526+
t.Run(tt.expectedExe, func(t *testing.T) {
527+
evt := tt.evt
528+
require.NoError(t, psnap.AddModule(evt))
529+
ok, ps := psnap.Find(uint32(os.Getpid()))
530+
require.True(t, ok)
531+
assert.Equal(t, tt.expectedExe, ps.Exe)
532+
})
533+
}
534+
}
535+
470536
func init() {
471537
reapPeriod = time.Millisecond * 45
472538
}

0 commit comments

Comments
 (0)